Basic and Advanced API Test Cases
Checklist Point
1 Host header configuration should be implemented properly (the Host header should be validated)
2 X-Rate-Limit and X-Rate-Limit-Remaining headers should be configured
3 URL tampering should not be allowed
4 Authentication Bypass should not be allowed
5 Insecure direct object references should be blocked
6 Clear-text submission of passwords and other PII data should not be allowed
7 Usage of easily decodable encoding like URL encoding or base64 encoding should be prevented
8 Same password should not be reused for other users
9 Whitelist allowable methods
1. Server-side validation: have a server-side validation routine that filters based on:
a. File extensions
b. Content-Types
c. Magic numbers
d. File size
2. Strongly validate user input.
3. Check user-supplied files or filenames.
4. Check file extensions and allow only permitted file extensions, e.g. jpg or png.
5. Do not keep uploaded files under directories that have execute permissions.
7. Install antivirus that detects any malicious file uploaded; in such a case discard or delete the file and do not save it on the system.
8. Double extensions or null bytes should not be permitted.
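As an added example (not part of the original checklist), a server-side upload validator in Python that applies the checks above in one routine: extension allow-list, Content-Type, magic numbers, size, and rejection of double extensions and null bytes. The allowed types jpg/png come from the checklist; the 2 MiB size limit is an assumption.

```python
import os
from typing import Tuple

MAX_BYTES = 2 * 1024 * 1024  # assumed upload limit (2 MiB)

# Allowed extension -> (expected Content-Type, accepted magic-number prefixes)
ALLOWED = {
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
}


def validate_upload(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). Every check must pass; the first failure is reported."""
    # Null bytes: some runtimes truncate names at \0, so "x.php\0.jpg" could be saved as x.php
    if "\x00" in filename:
        return False, "null byte in filename"
    # Keep only the final path component so "../../x.jpg" cannot escape the upload directory
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        return False, "empty or reserved filename"
    parts = base.lower().split(".")
    # Double extensions such as shell.php.jpg are rejected outright
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be name.ext with exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, "extension ." + ext + " not permitted"
    expected_type, magics = ALLOWED[ext]
    # Content-Type is client-controlled: checked, but never trusted on its own
    if content_type.split(";")[0].strip().lower() != expected_type:
        return False, "Content-Type does not match extension"
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "file size out of range"
    # Magic-number check: the bytes must actually start like the declared format
    if not any(data.startswith(m) for m in magics):
        return False, "file content does not match declared type"
    return True, "ok"
```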
Eg: If you enter a correct username and a wrong password, the error should be "invalid credentials" and not "incorrect password entered".
22 The HTTP headers below should be configured:
X-XSS-Protection
X-Content-Type-Options
Access-Control-Allow-Origin
Cache-control: no-store
Pragma: no-cache
HTTPOnly
SameSite (strict or lax)
Secure
Domain
Path
Sr. No. Test Case/ Attack Name
1 XML Injection
2 XPATH Injection
9 WSDL rendering
Tamper with the XML schema, add XML tags or remove XML tags, and check whether the server accepts it.
Check for an implementation of a random token if a server directly invokes a web service.
Checks to be performed:
Randomness of the token,
Validation of token on the server side,
Reuse of previously assigned token.
If a web server directly calls a web service then the server's IP address should be whitelisted
If a web service is intended for a high-privilege user, then try to access the same with a low-privilege login.
A user should not be able to view the schema/XML format of the web service; you can check this by appending "?wsdl" to the URL of the web service.
Check for vulnerabilities related to SSL like BEAST, CRIME, POODLE etc.; also check for weak ciphers and self-signed certificates.
Check for any ORA error or any DB-related error or any such instance that indicates SQL injection possibilities.
Check for non-error-based SQL injection like the '+' and '||' operators and true/false conditions.
Check for strings from the request getting reflected in responses, and for special characters such as < > getting reflected without being escaped.
If the web service is used for login, or a login feature is implemented, then check for all password-related attacks like:
Password replay
Password Policy
Password verification at server end
Partial/Blank password etc.